Become a Fan

September 26, 2012

Spammers hijacked my email account - ignore "emergency" (UPDATED)

On Friday morning I was unable to sign on to my AOL email account. It didn’t recognize my password. When I tried to change it, I found that the security questions and answers also were different.

The result: I was locked out of the account, which started sending “emergency” messages to everybody on my email list, claiming (in my name) that I was stranded in Malaysia and needed money fast to get back to London.

Fortunately, I think most people are aware that this is a common scam and would assume that if I really needed $3000 immediately I would turn to family members or one or two close friends. Even so, there are kind people who will help anybody they think is in need, which is why this scam does work sometimes.

AOL has been no help whatsoever. They said to access my account I’d have to answer the security questions, starting with my city of birth. I told the call center person the city. “That’s wrong,” she said. “You have two more guesses.” I told her I don’t need to guess my city of birth, it was what I told her. “Then I’m sorry but you can’t access the account.”

I explained that somebody had changed the security question answers. “Oh no,” she said, “that’s really hard to do. Good-bye.” (Once you know the password, it’s simple to change those answers—takes about two clicks.)

I called back and asked to speak to a supervisor. None available, good-bye.

I went online to the live chat with an AOL rep. As soon as I gave them my name and email address they cut me off. Obviously the previous reps put a note in my file.

I’ve warned as many people as I could, notified the FBI and Western Union, and had an expert check out the hard drive. It was clean. He reckons the hackers had compromised the hotel internet connection (unusually, the hotel had no wifi, but an Ethernet cable that you plug into your computer).

The hackers also got into my Facebook account (I didn’t use the same password but it wasn’t totally different, either, so I guess their systems figured it out pretty easily) and I’ve suspended that account.

With the computer expert's help I was able to secure my Gmail account, but he couldn't get me back on my AOL account. My battle with AOL continues. The call centers are hopeless, AOL US says it can't even access the information on an AOL UK account, the UK numbers are not accessible from the US (where I am at the moment).

The hackers are sending repeat messages to my list, fortunately with rather bad grammar.

This is terribly frustraiting, as I'm sure you can imagine.

The moral of the story? Several.

One is to use better passwords. For the sake of making them easy to remember, I ended up with simple passwords. They weren't all alike but they did all use the none-too-sophisticated system.

In the many hours I’ve spent trying to figure out what’s going on and how to deal with it, I’ve read a lot about how using hotel and other wifi or Ethernet systems can make you vulnerable. The computer expert suggested setting up a system that encrypts all internet traffic from your computer when you away from your normal, secure wifi system. He also suggests getting a plan with a phone company that allows you to set up your own personal wifi with a dongle you plug into a USB port.

How did the hackers get my password? I was at the Luxor Hotel in Las Vegas, where there was only wired (Ethernet) access to the web. Podcaster Steve Gibson says, "

"Essentially, there is absolutely no security with Ethernet. The assumption always was that it would be used in a LAN setting where you knew and trusted everybody on the network. You were one big happy company..."he said. Someone can get in the middle of all Internet conversations. Web pages, email messages and everything else coming and going to the Internet can be intercepted and logged."

UPDATE: I finally had a call from a very helpful AOL representative who arranged for the account to be returned to me and secured. Guess how it came to his attention. Yes, via this blog (not the dozens of phone calls I made)!

I suggested that AOl train their call center people to give out the phone number of the fraud departmantes in the US and a number for that department in the UK and Europe. It looks like everything is back to normal and I think I have most of my messages back. Thank you for your suggestions, I am implementing them.

If, like me, you're automatically backing up all your files be aware that probably that doesn't include your emails. A hacker can wipe out your entire backlog of emails with one click. That includes those you've put into different categories for later reference.

Another moral: if you’re still using AOL, switch!

Ps: Lifehacker featured an article on the most used PINs and numeric passwords. More than 10% of people use 1234. Also high on the list and not recommended: 1111, 0000, 1212, 7777, 1004, 2000, and 4444 (or any four of the same number).

Comments

On Friday morning I was unable to sign on to my AOL email account. It didn’t recognize my password. When I tried to change it, I found that the security questions and answers also were different.

The result: I was locked out of the account, which started sending “emergency” messages to everybody on my email list, claiming (in my name) that I was stranded in Malaysia and needed money fast to get back to London.

Fortunately, I think most people are aware that this is a common scam and would assume that if I really needed $3000 immediately I would turn to family members or one or two close friends. Even so, there are kind people who will help anybody they think is in need, which is why this scam does work sometimes.

AOL has been no help whatsoever. They said to access my account I’d have to answer the security questions, starting with my city of birth. I told the call center person the city. “That’s wrong,” she said. “You have two more guesses.” I told her I don’t need to guess my city of birth, it was what I told her. “Then I’m sorry but you can’t access the account.”

I explained that somebody had changed the security question answers. “Oh no,” she said, “that’s really hard to do. Good-bye.” (Once you know the password, it’s simple to change those answers—takes about two clicks.)

I called back and asked to speak to a supervisor. None available, good-bye.

I went online to the live chat with an AOL rep. As soon as I gave them my name and email address they cut me off. Obviously the previous reps put a note in my file.

I’ve warned as many people as I could, notified the FBI and Western Union, and had an expert check out the hard drive. It was clean. He reckons the hackers had compromised the hotel internet connection (unusually, the hotel had no wifi, but an Ethernet cable that you plug into your computer).

The hackers also got into my Facebook account (I didn’t use the same password but it wasn’t totally different, either, so I guess their systems figured it out pretty easily) and I’ve suspended that account.

With the computer expert's help I was able to secure my Gmail account, but he couldn't get me back on my AOL account. My battle with AOL continues. The call centers are hopeless, AOL US says it can't even access the information on an AOL UK account, the UK numbers are not accessible from the US (where I am at the moment).

The hackers are sending repeat messages to my list, fortunately with rather bad grammar.

This is terribly frustraiting, as I'm sure you can imagine.

The moral of the story? Several.

One is to use better passwords. For the sake of making them easy to remember, I ended up with simple passwords. They weren't all alike but they did all use the none-too-sophisticated system.

In the many hours I’ve spent trying to figure out what’s going on and how to deal with it, I’ve read a lot about how using hotel and other wifi or Ethernet systems can make you vulnerable. The computer expert suggested setting up a system that encrypts all internet traffic from your computer when you away from your normal, secure wifi system. He also suggests getting a plan with a phone company that allows you to set up your own personal wifi with a dongle you plug into a USB port.

How did the hackers get my password? I was at the Luxor Hotel in Las Vegas, where there was only wired (Ethernet) access to the web. Podcaster Steve Gibson says, "

"Essentially, there is absolutely no security with Ethernet. The assumption always was that it would be used in a LAN setting where you knew and trusted everybody on the network. You were one big happy company..."he said. Someone can get in the middle of all Internet conversations. Web pages, email messages and everything else coming and going to the Internet can be intercepted and logged."

UPDATE: I finally had a call from a very helpful AOL representative who arranged for the account to be returned to me and secured. Guess how it came to his attention. Yes, via this blog (not the dozens of phone calls I made)!

I suggested that AOl train their call center people to give out the phone number of the fraud departmantes in the US and a number for that department in the UK and Europe. It looks like everything is back to normal and I think I have most of my messages back. Thank you for your suggestions, I am implementing them.

If, like me, you're automatically backing up all your files be aware that probably that doesn't include your emails. A hacker can wipe out your entire backlog of emails with one click. That includes those you've put into different categories for later reference.

Another moral: if you’re still using AOL, switch!

Ps: Lifehacker featured an article on the most used PINs and numeric passwords. More than 10% of people use 1234. Also high on the list and not recommended: 1111, 0000, 1212, 7777, 1004, 2000, and 4444 (or any four of the same number).